(57) Abstract

A data processing system comprising a plurality of computers (2)
interconnected through a local network (1), preferably in form of a
ring network, said network (1) being connected to a network adaptor (7)
which is able to receive all information on the network (1). The network
adaptor (7) is connected to a computer (8), which together with the
adaptor (7) can perform an assembling and scanning of substantially all
files on the network and carry out a recognition of virus signatures, if
any. In this manner the individual file packets circulating in the ring
network are assembled, said file packets being assembled in a file and
scanned for virus signatures, if any. When a virus signature is detected
in the file, information is simultaneously provided on the transmitting
stations and the receiving stations, whereafter it is possible to
transmit the vaccine to the stations in question. The close-down period
of the system due to detection of a virus has thereby been reduced to
zero.

NETWORK ADAPTOR CONNECTED TO A COMPUTER FOR VIRUS
SIGNATURE RECOGNITION IN ALL FILES ON A NETWORK

Technical Field 

The invention relates to a data processing system comprising a plurality
of computers interconnected through a local network, preferably in form
of a ring network, said network being connected to a network adaptor
which is able to receive all information on the network.

Background Art 

Such a network adaptor is able to measure the performance and the
speed of the network, inter alia in order to evaluate whether the network
is optimally structured.

A ring network can be connected to a network server. The network
server can comprise a network program accessible for the users at each
work station. Each user can furthermore have access to the logic drive
of the network server, whereby the user can enter programs and data
which can subsequently be read by another user without floppy disks
being exchanged between the users. The network server can furthermore
include a virus program accessible for the user of a work station so
as to enable him to scan the local disk for virae. The user can carry out
a virus scanning at regular intervals. A virus, if any, may, however, have
infected a large number of work stations before being detected.

Description of the Invention 

The object of the invention is to provide a data processing system of the
above type, whereby a virus, if any, and computers infected thereby are
detected far quicker than previously so as to limit the spreading of the
virus.

The data processing system according to the invention is characterised
in that the network adaptor is connected to a computer, which together
with the adaptor can catch and scan all files on the network and carry
out a recognition of virus signatures (bit patterns), if any, in the files. As
a result, the file packets circulating in the ring network are assembled in
one file. After the assembling in one file, the packets are scanned for
detection of virae, if any. If a virus signature is detected in the file,
information on the transmitting and receiving stations is provided and an
alarm is activated, whereby a further spreading of the virus can be
prevented.

Moreover according to the invention, the computer connected to the
adaptor may be adapted to transmit a so-called "vaccine" to the
computers optionally infected by said virus or said virae. The close-down
period of the system due to detection of a virus has thereby been
reduced to zero.

Furthermore according to the invention, the vaccine may be imple- 
mented by causing the computer connected to the adaptor to start a 
scanning on the infected computers by means of a program known per 
se, said program neutralizing the virus. 

In addition according to the invention, the computer connected to the
adaptor may comprise a neural network in form of a program adapted to
recognize the usual interchange of data on the local network and to
actuate an alarm if an unusual interchange of data, such as an unknown
virus signature, is recognized. In this manner it is also possible to detect
hitherto unknown virae and thereby to obtain a better virus detection
than previously known.

Furthermore the neural network may according to the invention comprise
neuron-like elements.

Finally the neural network may according to the invention be composed
of a Boltzmann machine.

Brief Description of the Drawings 

The invention is explained in greater detail below with reference to the
accompanying drawings, in which

Fig. 1 illustrates a data processing system according to the invention
comprising a local network in form of a ring network connected to a
number of computers, one of the computers being equipped with a
particular network adaptor,

Fig. 2 illustrates how a computer is infected and subsequently infects
the network,

Fig. 3 illustrates how an adaptor connected to the network can assemble
packets of information circulating in the network in order to detect virae,
if any,

Fig. 4 illustrates a data processing system comprising a local network in
form of a string network connected to a plurality of computers, one of
said computers being equipped with a particular network adaptor,

Fig. 5 illustrates a neuron for recognition of hitherto unknown virae,

Fig. 6 illustrates a neural network comprising an input layer, an
intermediate layer, and an output layer, and

Fig. 7 illustrates examples of hypercube multiprocessor structures, in
which the data processing system according to the invention can be
implemented.

Best Mode for Carrying Out the Invention

The data processing system according to the invention comprises a
plurality of computers 2 in form of personal computers interconnected
through a local network in form of a ring network 1. A virus can infect
a personal computer 2 via a floppy disk 3 inserted in the computer 2
copying the program on the floppy disk 3. As a result the computer is
infected by the virus in said program. The infected program can then be
transferred via the network to one or several of the remaining personal
computers 2 connected to the network 1. The virus is transferred when
the program or the program file is divided into packets being transmitted
in series via the ring network 1. Each packet includes an address
indicating the work station (the personal computer) receiving the packet.
The packet circulates in the network 1, and at the receiving work station
the address is recognized whereafter the packet can be read by said
station. This station is usually the only work station capable of reading
the packet and subsequently marking said packet as read. Then the packet
is retransmitted via the network 1 to the original work station which
checks whether said packet has been read or not. In the affirmative, the
packet can be emptied and marked empty.

The network 1 is furthermore connected to a network server 5.
Previously, the network server 5 included a program allowing the user to
perform a virus scanning at regular intervals of the programs in the
personal computer 2. Such a virus control is, however, encumbered with
the drawback that a virus, if any, may be spread to a large number of
work stations of the data processing system before an alarm is
activated.

WO 93/22723                                            PCT/DK93/00140

According to the invention, one of the work stations, viz. the work
station 8, is connected to a particular network adaptor 7, such as an
IBM trace and performance adaptor which is able to receive all
information on the network 1. The network adaptor 7 receives selected
packets on the network, viz. only packets containing data of interest. The
packets continue without delay to the receiving station. Then a TAP
logic in the network adaptor 7 assembles the packets in files, cf. Fig. 3,
for a scanning and detection of virus signatures, if any. The adaptor 7
has been symbolized in Fig. 1 by means of a magnifying glass and is
connected to the computer 8. The computer 8 is able to scan the files
and recognize virus signatures, if any.

A program comprises a number of commands to an electronic data
processing system. The commands are encoded in hexadecimal codes
easy to recognize. In this manner it is possible to compare the program
with program signatures in order to ensure that said program signature
is in fact a portion of the complete program. A virus is in fact a program
and can therefore be recognized in the same manner. As far as a known
virus is concerned all the files of an electronic data processing system
can be scanned for the signature of said virus by the system performing
a comparison with said signature. If the signature is a portion of a file,
said file may have been infected. A large number of programs are able to
scan for known virus signatures. These programs render it possible to
determine whether an electronic data processing system is infected by
known virae.

When a virus is detected, an alarm is instantaneously activated and a
so-called "vaccine" is transmitted to the personal computers having
received infected information, which is possible because each packet in
the ring network 1 contains the addresses of the transmitting and the
receiving stations of the information in question. The vaccine is provided
for instance by means of the program "Clean" sold by the company
McAfee. This program can erase or write over a virus program typically
placed in front of or after the actual program. If the virus program is
placed in front of the actual program, an indication can be provided after
the erasing of or writing over said virus that the actual program does not
start until later. A quick transmission of such a vaccine minimizes the
spreading of the virus. The principle is particularly suited in connection
with a ring network as the information packets pass the adaptor 7
during each running and are thereby detected as quickly as possible.
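
The assemble-then-scan step described above, as an added Python illustration that is not part of the patent text: a passive tap reassembles copied packets into files, compares each file with known signatures, and reports the transmitting and receiving stations. The packet fields `file_id`, `seq` and `last`, the station names and the two byte patterns are assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed byte patterns for the demo; not real virus signatures.
SIGNATURES = {"DEMO-A": bytes.fromhex("deadbeef4142"),
              "DEMO-B": bytes.fromhex("cafe0102")}

@dataclass(frozen=True)
class Packet:
    src: str         # address of the transmitting station
    dst: str         # address of the receiving station
    file_id: int     # assumed field: identifies the file transfer
    seq: int         # assumed field: packet index within the file
    last: bool       # assumed field: set on the final packet of the file
    payload: bytes

def scan(data, signatures=SIGNATURES):
    """Return {signature name: offset} for every signature contained in data."""
    return {n: data.find(s) for n, s in signatures.items() if s in data}

class Tap:
    """Passive monitor: keeps copies of packets and never delays the originals."""
    def __init__(self):
        self.parts = defaultdict(dict)   # (src, dst, file_id) -> {seq: payload}
        self.count = {}                  # same key -> number of packets expected

    def observe(self, pkt):
        """Store a copy of pkt; once its file is complete, scan it and return alerts."""
        key = (pkt.src, pkt.dst, pkt.file_id)
        self.parts[key][pkt.seq] = pkt.payload
        if pkt.last:
            self.count[key] = pkt.seq + 1
        n = self.count.get(key)
        if n is None or any(i not in self.parts[key] for i in range(n)):
            return []                    # file not yet complete
        chunks = self.parts.pop(key)
        del self.count[key]
        data = b"".join(chunks[i] for i in range(n))
        return [{"signature": name, "offset": off, "transmitter": pkt.src,
                 "receiver": pkt.dst, "file_id": pkt.file_id}
                for name, off in scan(data).items()]

# Constructed capture: two interleaved transfers. DEMO-A straddles packets 0 and 1
# of the first file, and those packets are seen out of order.
CAPTURE = [
    Packet("station-2", "station-5", 1, 1, True, bytes.fromhex("ef4142") + b" tail"),
    Packet("station-3", "station-4", 7, 0, False, b"plain "),
    Packet("station-2", "station-5", 1, 0, False, b"header " + bytes.fromhex("deadbe")),
    Packet("station-3", "station-4", 7, 1, True, b"text"),
]

def monitor(capture):
    """Feed a capture through the tap and collect all alerts."""
    tap, alerts = Tap(), []
    for pkt in capture:
        alerts.extend(tap.observe(pkt))
    return alerts

def per_packet_hits(capture):
    """Packets that match a signature when scanned individually (for comparison)."""
    return [p for p in capture if scan(p.payload)]

if __name__ == "__main__":
    print(monitor(CAPTURE))
    print(per_packet_hits(CAPTURE))
```

Scanning each packet on its own finds nothing in this capture, because the pattern is split across a packet boundary; only the assembled file matches.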

The principle can, however, also be used in connection with a string
network, cf. Fig. 4. All the work stations 2 coupled in a string network
1 receive the same information. However, only the work station
comprising an address corresponding to the receiving address can read the
information. A TAP machine 11 is also connected to the string network.
The TAP machine is equipped with a particular adaptor and can therefore
also read the information. This adaptor can for instance be of the
type spider analyzer 325-R version 2.1 sold by the company Spider
Systems. The adaptor of the TAP machine 11 considers itself a receiving
station for all the information packets although this is not the case. The
adaptor has been set in a particular mode implying that it ignores the
address and reads all the packets. The adaptor comprises a buffer in
which the packets are stored. The buffer is emptied now and then, such
as when it is full, or is about to be full. The buffer is emptied by means
of network software. A plurality of packets corresponding to several
files may optionally be transmitted at the same time. The network
software converts the packets into a form readable by the operative system
in question. In this manner the operative system can write the files in a
disk or store them in the memory of the machine.

The data processing system can be further developed so as also to be
able to recognize a new virus and send a vaccine to it. The further
development is found in the fact that the work station 8 or 11 connected to
the network adaptor in addition comprises a neural network in form of
a program designed to distinguish between normal and abnormal
interchange of data on the local network and to activate an alarm in case of
an abnormal interchange of data in form of an unknown signature
possibly corresponding to yet another unknown virus.

The system utilizes the fact that far the most virae have certain common
features. A machine reading from examples can therefore be
programmed to detect far the most virae. Such a machine can for instance
be a Hopfield network known per se or a Boltzmann machine being
identical with a Hopfield network apart from one significant difference.
When a unit in the network is to decide the succeeding function thereof,
an arbitrary signal is programmed into the unit. This arbitrary signal
"shakes" the network out of local optima in such a manner that it is
possible to determine the globally best configurations. A surprising
property of this network is that it is possible to determine a very simple
relation between a predetermined weight factor and the global behaviour
of the network although said network is very complex. The network can
be presented to coherent in- and output signals and can thereby adjust
the individual weight factors and consequently adapt the behaviour of
the network to the desired behaviour. As a result, a gradual
improvement takes place of the behaviour of the network.

According to a particular, single case the neural network can be a
perceptron. Such a perceptron is shown in Fig. 5 and comprises one or
several processing elements (neurons) in a layer. For the sake of
simplicity, only one of these processing elements is described below.

The perceptron of Fig. 5 comprises only one neuron and receives a
plurality of input signals $X_0, X_1, X_2, \ldots$ and transmits an output
signal Y'. While programming the neuron, the correct output signal
corresponding to the transmitted input signals is transmitted. The input
signals are expressed by a vector X of the dimension N + 1. $X_0$ has been
set to 1. Each signal $X_p$ of the vector X is weighed by a weight factor
$W_p$ of a vector W also of the dimension N + 1. The output signal Y' is
calculated as the sum of the products $X_0 \cdot W_0 \ldots X_N \cdot W_N$
corresponding to the vector product $W \cdot X$. If this vector product
exceeds 0, Y' is set to 1 or 0 corresponding to class 0 or 1. Thus the
neuron is able to place a predetermined vector in one out of two classes.
Now the neuron is presented to a large number of various X, each X being
of the class 0 or 1. During the programming, the neuron is provided with
a vector X together with the correct class. As a result the neuron can
adjust its weight factors according to the formula

$$W_{new} = W_{old} + (Y - Y') \cdot X$$

where Y represents the correct class of the input signal vector X in
question, and Y' represents the output signal ($W \cdot X$) of the neuron.
This formula is called the programming instructions and indicates how the
weight factors of the neuron are adjusted.

A perceptron comprising one or more neurons can be used for
recognizing a pattern, such as a virus signature. A perceptron for
recognizing a virus signature includes preferably at least two neurons. It
is assumed that a virus signature has a maximum length of m hexadecimal
figures of 8 bits. A hexadecimal figure of 8 bits can assume 256 various
values. The input signal vector X must then have the dimension
$m \cdot (256 + 1)$. All possible combinations of virus signatures therefore
result in various X-vectors.

The data structure of the perceptron is indicated below in a Pascal-like 
syntax. 



    Figure value  = actual figure
    Class         = [0;1]
    Input vector  = array [1..m;0..256] of figure value
    Weight vector = array [1..m;0..256] of figure value
    Neuron        = position
                      W: weight vector
                      Y': class
                    Final post
    Perceptron    = position
                      Neuron 1: Neuron
                      Neuron 2: Neuron
                    Final post

Initially W is set to be = 0.5.



Two procedures must be provided, viz. one for calculating the product
$X \cdot W$, and one for adjusting the weight factors in accordance with the
programming instructions.

Then the perceptron is presented to a large number of virus signatures
as well as to a large number of signatures without virus.

When the signature is a virus, the class for the neuron 1 must be 1,
whereas the class for neuron 2 must be 0. When the signature is not a
virus, the class for neuron 1 must be 0 whereas the class for neuron 2
must be 1, i.e.:

    The signature is a virus:     Neuron 1.Y = 1 and Neuron 2.Y = 0.

    The signature is not a virus: Neuron 1.Y = 0 and Neuron 2.Y = 1.

After the supply of a virus signature, the weight factors of the neurons
must be adjusted by means of the programming instructions until the
perceptron has been stabilized such that the number of correct answers
is no longer changed. When this is the case, no further adjustments are
performed by means of the programming instructions.

A perceptron implemented in this manner cannot only recognize known
virae, but also unknown virae provided the signature thereof "resembles"
the signature of the virae already presented to the perceptron.

A new virus often resembles a known virus as many new virae are
developed on the basis of known virae. A few virae are furthermore able
to change the signature all the time by adding NOP's (no operation) to
the signature. In other words the virus mutates. An NOP does not
involve activity, and the functions of the virus remain unchanged. The
signature of the virus is, however, changed. In many cases the
perceptron is also able to recognize such mutants as the insertion of NOP's
has no decisive effect on the perceptron.
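
The two-neuron perceptron and its programming instructions, as an added Python example (not the patent's own code). It assumes that column 0 of each row of the page's [1..m;0..256] array is the constant input 1 and that column 1+b marks byte value b; the training and test signatures are constructed, with m = 6.

```python
M = 6            # maximum signature length in bytes (the page's m)
COLS = 256 + 1   # assumed reading: column 0 = constant input 1, column 1+b = byte b

def encode(sig: bytes):
    """Return the active (row, column) cells of the sparse input vector X."""
    cells = [(p, 0) for p in range(M)]                     # constant inputs
    cells += [(p, 1 + b) for p, b in enumerate(sig[:M])]   # one cell per byte
    return cells

class Neuron:
    def __init__(self):
        # "Initially W is set to be = 0.5"
        self.w = [[0.5] * COLS for _ in range(M)]

    def output(self, cells):
        """Y' = 1 if the product W . X exceeds 0, else 0."""
        return 1 if sum(self.w[p][c] for p, c in cells) > 0 else 0

    def adjust(self, cells, y):
        """Programming instruction W_new = W_old + (Y - Y') * X; True if W changed."""
        delta = y - self.output(cells)
        for p, c in cells:
            self.w[p][c] += delta
        return delta != 0

class Perceptron:
    def __init__(self):
        self.n1, self.n2 = Neuron(), Neuron()

    def train(self, samples, max_epochs=100):
        """samples: list of (signature, is_virus). Returns the epoch at which no
        weight changed any more, i.e. the perceptron has stabilised."""
        for epoch in range(1, max_epochs + 1):
            changed = False
            for sig, is_virus in samples:
                x = encode(sig)
                changed |= self.n1.adjust(x, 1 if is_virus else 0)
                changed |= self.n2.adjust(x, 0 if is_virus else 1)
            if not changed:
                return epoch
        raise RuntimeError("not stabilised; samples may not be linearly separable")

    def classify(self, sig):
        x = encode(sig)
        pair = (self.n1.output(x), self.n2.output(x))
        return {(1, 0): "virus", (0, 1): "clean"}.get(pair, "undecided")

# Constructed training set: two "virus" patterns sharing a prefix, two clean ones.
TRAINING = [
    (bytes.fromhex("a1b2c3d4e5f6"), True),
    (bytes.fromhex("102030405060"), False),
    (bytes.fromhex("a1b2c3d41728"), True),
    (bytes.fromhex("102031415161"), False),
]
MUTANT = bytes.fromhex("a1b2c3d490e5")        # first pattern with a NOP (0x90) inserted
UNSEEN_CLEAN = bytes.fromhex("102032425262")  # clean pattern never shown in training

if __name__ == "__main__":
    p = Perceptron()
    print("stabilised after epoch", p.train(TRAINING))
    print(p.classify(MUTANT), p.classify(UNSEEN_CLEAN))
```

The constructed mutant is still classified as a virus because its first four positions match the trained signatures, while the inserted NOP only moves the later bytes onto cells that still hold their initial weight.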

Further details concerning the implementing of programming instructions
in form of programming algorithms appear from the literature
"Neurocomputing" by Robert Hecht-Nielsen published by Addison-Wesley
Publishing Company. ISBN 0-201-09355-3. Reference is in particular made
to paragraphs 3.3 and 3.4 forming part of the present specification.

A particular advantage by the data processing system according to the
invention is that each user does not have to scan the programs in each
personal computer. According to the invention, the network
communication is instead scanned centrally.



The computers not or only seldomly transmitting on the network 1,1'
can, however, be infected and must therefore be checked in a
conventional manner by each user.

Previously the problem applied to the lack of possibility of localizing the
transmitting station having infected the network. The system according
to the invention renders it possible to locate the station before the
"traces" have been erased.

The data processing system according to the invention is not limited to
be used in connection with ring or string networks. Usually, it can be
used in connection with hypercube multiprocessor structures for
instance being characterised by having $2^n$ processors interconnected via
an n-dimensional cubus, cf. Fig. 6 showing examples of hypercube
structures. Reference is in this connection made to the literature
"multiprocessors" by Daniel Tabak, Prentice Hall Series in Computer
Engineering, especially chapter 2 forming part of the present specification.
Each processor comprises direct and separate communication paths to N and
other processors. These paths correspond to the edges of the cubus.
Hypercube structures are implemented by Intel and Floating Point System
indicating transfer speeds of 1 M bit/sec.

The data processing system according to the invention can also be used
in connection with Switch network structures and vector processors. In
case of switch network structures, it can be necessary to use several
network adaptors, each network adaptor being connected to a computer
which together with the adaptor carry out an assembling and scanning
of files on the network.

Claims.

1. A data processing system comprising a plurality of computers
interconnected through a local network, preferably in form of a ring
network, said network being connected to a network adaptor which is
able to receive all information on the network, characterised in
that the network adaptor (7) is connected to a computer (8), which
together with the adaptor (7) can perform an assembling and scanning
of substantially all files on the network (1) and carry out a recognition of
virus signatures, if any, in the files.

2. A data processing system as claimed in claim 1, characterised
in that the computer (8) connected to the adaptor (7) is adapted
to provide information on the place of origin of infected data, if any, as
well as on the position to which said infected data have been
transmitted.

3. A data processing system as claimed in claim 1 or 2,
characterised in that the computer (2) connected to the adaptor (7) is
adapted to transmit a so-called "vaccine" to the computers (8) optionally
infected by said virus or said virae.

4. A data processing system as claimed in claim 3, characterised
in that the vaccine is implemented by causing the computer (8)
connected to the adaptor (7) to start a scanning on the infected
computers (8) by means of a program known per se.

5. A data processing system as claimed in one or more of the preceding
claims 1 to 4, characterised in that the computer (8)
connected to the adaptor (7) comprises a neural network in form of a
program adapted to recognize the usual interchange of data on the local
network (1) and to actuate an alarm if an unusual interchange of data,
such as an unknown virus signature, is recognized.

6. A data processing system as claimed in claim 5, characterised
in that the neural network comprises neuron-like elements.

7. A data processing system as claimed in claim 5, characterised
in that the neural network is composed of a Hopfield network.

8. A data processing system as claimed in claim 5, characterised
in that the neural network is composed of a Boltzmann machine.

AMENDED CLAIMS

[received by the International Bureau on 24 September 1993 (24.09.93);
original claims 6-8 cancelled;
original claims 1-5 amended;
(2 pages)]

1. A data processing system comprising a plurality of computers
interconnected through a local network, preferably in form of a ring
network, said network being connected to a network adaptor which is
able to receive all information on the network, characterised in
that the network adaptor (7) is connected to a computer (8), which
together with the adaptor (7) can perform an assembling and scanning
of substantially all files on the network (1) and carry out a recognition of
virus signatures, if any, in the files.

2. A data processing system as claimed in claim 1, characterised
in that the computer (8) connected to the adaptor (7) is adapted
to provide information on the place of origin of infected data, if any, as
well as on the position to which said infected data have been
transmitted.

3. A data processing system as claimed in claim 1 or 2,
characterised in that the computer (2) connected to the adaptor (7) is
adapted to transmit a so-called "vaccine" to the computers (8) optionally
infected by said virus or said virae.

4. A data processing system as claimed in claim 3, characterised
in that the vaccine is implemented by causing the computer (8)
connected to the adaptor (7) to start a scanning on the infected
computers (8) by means of a program known per se.

5. A data processing system as claimed in one or more of the preceding
claims 1 to 4, characterised in that the computer (8)
connected to the adaptor (7) comprises a neural network in form of a
program adapted to recognize the usual interchange of data resembling vira
on the local network (1) and to actuate an alarm if an unusual interchain-